Re: [DNSOP] ALT-TLD and (insecure) delegations.

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 07 February 2017 21:53 UTC

In-Reply-To: <20170207214846.B66EF633C6C5@rock.dv.isc.org>
References: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com> <20170203210922.7286C618213C@rock.dv.isc.org> <CAH1iCipKwcOsMQY3kjvSZ42LMK37GLD6GP2AVtnWK0c83k-RiA@mail.gmail.com> <20170207040552.8BDCC632F192@rock.dv.isc.org> <3581BE55-B178-4298-8EE8-73FD16B4216D@gmail.com> <D4C0D518-A3ED-4555-93DA-2EA12D82A662@fugue.com> <CAHw9_iK7Vt+ZNw8=E-b+w9gGhwB9fZNqHYp2pqKqT__RgcDttQ@mail.gmail.com> <5CA637EE-C0B6-4E5C-A446-A84431176D0C@fugue.com> <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 7 Feb 2017 13:53:39 -0800
Message-ID: <CAH1iCiomwsNU-aTBSbDjnEka5M+mwwsOoLL5mNQrMe+swtkbiw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FEBscRGdRdsRbl65QklCLIGEkLE>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>

On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com>, Ted Lemon
> writes:
> > Hm.   When I look for foo.alt, what I get is NXDOMAIN, not SERVFAIL.
> > When I validate, I get a secure denial of existence.   This is the
> > correct behavior.   Why do you think we would get a SERVFAIL?
>
> Because your testing is incomplete.
>
> Go add an empty zone (SOA and NS records only) for alt to your
> recursive server.  This is what needs to be done to prevent
> privacy leaks.
>
> Configure another recursive server to forward its queries to this
> server and enable validation.
>
>
I believe this is an erroneous configuration.

You need to have the recursive server (the first one) forward to another
server for the empty zone, otherwise that zone's contents do not end up in
the recursive server's cache.

Once you have that, the other recursive server (added and forwarding to the
first recursive) only gets back the non-leak results.

Since the first server is always forwarding to the empty zone, it never
queries the root, and never gets the authenticated denial of existence.

Brian


> Now ask for foo.alt from this second server.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
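The two-server testbed Mark describes above (a locally served empty "alt" zone on one recursive server, plus a second validating resolver that forwards everything to it), written out as BIND 9 named.conf and zone-file fragments. This is an added example, not configuration posted by either participant: the addresses 192.0.2.1, 192.0.2.2 and 192.0.2.3 are constructed documentation addresses, the file names and the BIND syntax are my assumptions, and Brian's alternative (having the first server forward the alt zone to a separate server instead of serving it locally) is included as a commented-out stanza. Whether the forwarder ends up returning NXDOMAIN or SERVFAIL for foo.alt is exactly what the thread is disputing, so the example states no result; query both servers and compare.

```conf
// ---- Server A: recursive resolver that serves an empty "alt" zone locally ----
// (constructed example; 192.0.2.1 is a documentation address, not a real host)
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };
    recursion yes;
    dnssec-validation auto;   // validate, using the built-in root trust anchor
};

// Empty zone (SOA and NS only): names under .alt are answered from this zone,
// so they are never sent to the root servers and cannot leak there.
zone "alt" {
    type master;
    file "db.alt-empty";
};

// Variant raised in the thread: instead of serving "alt" itself, server A
// forwards the zone to a third server (192.0.2.3, constructed) that hosts it.
// zone "alt" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.3; };
// };

// ---- Zone file db.alt-empty (same shape as BIND's built-in empty zones) ----
// $TTL 3600
// @   IN  SOA  @ . ( 1 3600 1200 604800 3600 )
// @   IN  NS   @

// ---- Server B: validating resolver that forwards every query to server A ----
// (constructed example; 192.0.2.2 is a documentation address)
options {
    directory "/var/named";
    listen-on { 192.0.2.2; };
    recursion yes;
    dnssec-validation auto;   // B validates what A hands back
    forward only;             // never fall back to iterating from the root
    forwarders { 192.0.2.1; };
};
```

To run the test as described, query `dig +dnssec foo.alt @192.0.2.2` and the same name `@192.0.2.1`, and compare the rcode and the AD flag in each reply: the local empty zone answers without signatures, and the forwarder's verdict depends on what it can fetch through A to prove or disprove the existence of "alt" at the root. The `forward only` setting on B is what makes the testbed faithful to Mark's description; with BIND's default `forward first`, B could iterate from the root on its own and the comparison would say nothing about the forwarding path.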